5 min read By Excello Mail Team

DEBULL and ARToken: Device-Code Phishing Kits That Never Touch a Fake Login Page

Two phishing-as-a-service platforms disclosed in the first week of July 2026, DEBULL and ARToken, use Microsoft's own device-code sign-in flow to hijack Microsoft 365 accounts without stealing a password or building a fake login page. Once inside, they send BEC email through the victim's real, fully authenticated tenant.

Two phishing-as-a-service platforms surfaced in the first week of July 2026, and neither one builds a fake login page. DEBULL, documented by researchers at ZeroBEC, and ARToken, an affiliate panel of the EvilTokens platform exposed by Cisco Talos, both rely on a legitimate Microsoft authentication mechanism to take over Microsoft 365 accounts. There is no credential harvesting page for a security team to spot, no lookalike domain to flag, and no password for the victim to type into the wrong place. The victim signs in through Microsoft’s real login experience. The access just goes to someone else.

How Device-Code Phishing Works

Both kits abuse the OAuth 2.0 Device Authorization Grant, a flow Microsoft built for devices without a browser or keyboard, like smart TVs or conference room hardware. The legitimate version asks a user to visit microsoft.com/devicelogin, enter a short code, and approve the sign-in on a device that already trusts them. Attackers repurpose the same flow as a lure: a message themed around a shared document, a calendar invite, or a collaboration request pushes the target to that same real Microsoft page, with a code the attacker’s backend generated moments earlier. The victim enters the code and approves what looks like a routine sign-in prompt. A broker on the attacker’s side polls Microsoft’s servers in the background and receives the resulting access token the instant the victim clicks approve. Multi-factor authentication does not stop this, because the victim is the one completing it, on the real Microsoft site, for a session the attacker is silently riding along with.

Industrializing the Post-Compromise Stage

What makes DEBULL and ARToken notable is not the device-code technique itself, which security researchers have tracked since the Storm-2372 campaigns disclosed earlier in 2026. It is how far each platform automates what happens after the token lands. DEBULL builds on GraphSpy-derived tooling for Microsoft 365 and Entra ID post-exploitation, giving operators a point-and-click way to run reconnaissance and maintain access once inside a tenant. ARToken goes further: Talos found a React-based operator dashboard exposing more than 80 API endpoints covering Primary Refresh Token persistence, mailbox access, SharePoint exfiltration, and a dedicated business email compromise module. That module gives an affiliate full read access to the victim’s Outlook inbox, the ability to send mail as the victim, the ability to create inbox rules that silently forward or delete messages, and keyword-based monitoring across every compromised mailbox at once, so an operator running dozens of accounts gets alerted the moment an invoice or wire-transfer thread appears in any of them. Talos also observed lures that abuse a real vendor relationship rather than invent one, impersonating an accounts-payable contact at an actual contractor to reach an accounts-payable recipient at a real customer of that contractor.

Where DMARC Has Nothing to Add

This is the same structural gap we have described before with account-takeover phishing kits, and it is worth restating precisely because these two platforms make it so clean. DMARC, SPF, and DKIM verify that a message traveled through infrastructure the domain owner authorized to send on its behalf. When ARToken sends a BEC email from a compromised mailbox, it does so through Microsoft’s own Exchange Online servers, using the victim’s own valid session, under the victim’s own domain. Every signal DMARC checks is genuine, because the infrastructure genuinely belongs to the sender’s organization. The device-code flow did not forge anything DMARC inspects; it obtained a real, standing authorization to act as the account, and DMARC was never designed to ask whether that authorization was itself granted under false pretenses. A domain sitting at strict DMARC enforcement will watch this mail sail through with a clean pass, aggregate reports and all, because from DMARC’s perspective nothing about the message is inauthentic.

What Security Teams Need to Do

Restrict the device-code flow itself. Conditional Access policies can block the device code authentication flow entirely for users who do not need it, which is most of an organization. Microsoft has published guidance on scoping or disabling this flow, and it closes the entry point these kits depend on rather than reacting to what happens after.

Watch for device-code sign-in events. Entra ID sign-in logs record device-code authentications distinctly from normal interactive logins. A spike in this authentication type, especially from users who have never used it before, is a strong and specific detection signal that predates any downstream email abuse.

Treat inbox rule creation as a high-priority alert. Both DEBULL-style and ARToken-style post-exploitation lean on silent forwarding and deletion rules to hide their tracks. Alerting on new inbox rules that forward externally or auto-delete messages catches the BEC stage even after the initial token theft succeeds.

Train users on what a legitimate device-code prompt should never accompany. A calendar invite or shared-document notification that then routes to a Microsoft sign-in code entry page is not a normal pattern for most collaboration tools. That mismatch is the one moment a human can still catch what authentication protocols cannot.

The Takeaway

DMARC enforcement remains the right baseline, and it still shuts down the far more common case of an outsider forging a From header with no foothold in your systems at all. DEBULL and ARToken are a reminder that the industry has moved past that baseline case. When phishing-as-a-service platforms package the entire path from a fake calendar invite to a working session token to an automated BEC payout in one dashboard, the mail that results will authenticate perfectly, because it is not lying about where it came from. The compromise happened one step earlier, at the sign-in prompt, and that is where defenses now have to concentrate.


Excello Mail gives you continuous visibility into your DMARC aggregate reports and sending sources, so you can see exactly what is authenticating as your domain and act fast when something looks wrong. Sign up for free to Excello Mail to keep that visibility in place while your team closes gaps like device-code account takeover.